Social Engineering 'Capture The Flag' Contest Returns To DefCon

Changes to this year's contest include some volunteer, high-profile target companies

Dark Reading Staff, Dark Reading

March 25, 2011

The first-ever social engineering contest at DefCon in Las Vegas last year went way too well: each contestant was able to successfully social-engineer some piece of information, or "flag," out of their targeted company.

Chris Hadnagy, founder of, which sponsors the Social Engineering Capture The Flag contest, says this year's competition will target more industries including manufacturing, technology, and education, and will include some high-profile companies with aggressive internal security awareness programs that have volunteered as targets.

"We have two premier targets [thus far] that have agreed to work with us and allow [contestants] to call them and social-engineer them," Hadnagy says. "They are willing to put their security awareness programs" up to the challenge publicly, he says.

Hadnagy says he can't release the names of the companies, but that people will be "shocked" to learn in which sectors these companies reside. The goal is for half of the contest's targets to be volunteer, high-profile companies, and for the other half to be selected by the contest organizers.

"We didn't make that offer to last year's target companies," he says. "Unless they made dramatic changes in the last twelve months, they wouldn't want to agree" to voluntarily be part of the contest, he says.

Another new feature to this year's contest will be a template for contestants to submit their audit reports on their preliminary reconnaissance. That's the phase prior to DefCon where they gather any information on their assigned target company online or via other passive data-gathering methods (no phone calls, email, or direct contact with the targeted firms). They score points for the reconnaissance information gathered as well as for the plan of attack, all of which must be submitted prior to DefCon.

The live portion of the contest at DefCon is a 20-minute window where the contestants phone their target and attempt to capture designated flags, everything from finding out who supplies the company's in-house cafeteria food to the type of antivirus program they are running. In last year's contest, the flag that brought home the highest number of points was getting the employee on the other end of the line to visit a URL.

The final list of flags for this year is still in the works, Hadnagy says. Like last year, contestants are forbidden from getting credit card numbers, social security numbers, passwords, or making the target feel "at risk." They can't use government agencies, law enforcement, or legal entities as a ruse to get inside, nor can they contact relatives or family of the targeted firm's employees.

Last year's final field of 17 contestants posed as journalists, IT survey-takers, and businessmen, for instance. The list of companies targeted in the contest included Google, BP, McAfee, Symantec, Shell, Microsoft, Oracle, Cisco, Apple, and Walmart.

Another new feature to this year's contest is a target ranking system. The targeted firms will get a final tally of how they fared in the contest, and companies will be compared with others in their industry.

"We will not release what information was obtained from the target companies," Hadnagy says. The goal is to help companies improve their security awareness programs, he says.

The contest will run from Friday, August 5 to Saturday, August 6.
